
Inactive IAM account keys detected


    Identify and deactivate any unnecessary IAM access keys as a security best practice. AWS allows a maximum of two active access keys per IAM user, but having two is recommended only for the duration of a key rotation. nOps strongly recommends deactivating the old key once the new one has been created and rolled out, so that only one access key remains active for a given IAM user.

    This rule can help you with the following compliance standards:

    This rule can help you work with the AWS Well-Architected Framework

    Audit

    To determine if your AWS IAM users have unnecessary active access keys, perform the following:

    1. Sign in to the AWS Management Console.

    2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

    3. In the left navigation panel, choose Users.

    4. Click on the IAM user name that you want to examine.

    5. On the IAM user configuration page, select Security Credentials tab.

    6. Under the Access Keys section, in the Status column, check the current status of each access key associated with the IAM user. If the selected IAM user has more than one active access key, the user access configuration does not adhere to AWS IAM security best practices and the risk of accidental exposure increases.

    7. Repeat steps no. 4 – 6 for each IAM user that you want to examine, available in your AWS account.


    1. Run the list-users command (OSX/Linux/UNIX) to list all IAM users within your account:

    aws iam list-users \
        --query 'Users[*].UserName'

    2. The command output should return an array that contains all your IAM user names:

    [
        "circleci_terraform",
        "github-ecr",
        "kops",
        "lihao",
        "ncall",
    		...
        "nCodeLibrary",
        "ndata-circleci",
        "ndata_backend",
        "okta",
        "pmoosh",
    ]

    3. Run the list-access-keys command (OSX/Linux/UNIX), passing the IAM user name that you want to examine as a command parameter, to return the current status of each access key associated with the selected IAM user:

    aws iam list-access-keys \
        --user-name nCodeLibrary

    4. The command output should expose the metadata (ID, status, creation date, etc.) for each access key:

    {
        "AccessKeyMetadata": [
            {
                "UserName": "nCodeLibrary",
                "AccessKeyId": "AAAABBBBCCCCDDDDEEEE",
                "Status": "Active",
                "CreateDate": "2021-07-19T17:32:27+00:00"
            },
            {
                "UserName": "nCodeLibrary",
                "AccessKeyId": "EEEEDDDDCCCCBBBBAAAA",
                "Status": "Active",
                "CreateDate": "2021-07-20T20:19:39+00:00"
            }
        ]
    }

    Check the Status property value for each key returned to determine each key's current state. If the Status property value for both IAM access keys is set to Active, the user access configuration does not adhere to AWS IAM security best practices and the risk of accidental exposure increases.
    5. Repeat steps no. 3 and 4 for each IAM user that you want to examine, available in your AWS account.

    Remediation / Resolution

    To deactivate any unnecessary IAM access keys, you need to perform the following:

    1. Sign in to the AWS Management Console.

    2. Navigate to IAM dashboard at https://console.aws.amazon.com/iam/.

    3. In the left navigation panel, choose Users.

    4. Click on the IAM user name that you want to examine.

    5. On the IAM user configuration page, select the Security Credentials tab.

    6. In the Access Keys section, choose the one access key that will be used to provide access to AWS resources and update your application(s) code to use only the chosen key pair. Test your application(s) to make sure that the chosen access key is working.

    7. In the same Access Keys section, identify your non-operational access key (the one other than the chosen key) and deactivate it by clicking the Make Inactive link.

    8. In the Change Key Status confirmation box, click Deactivate to switch off the selected key.

    9. Repeat steps no. 4 – 8 for each IAM user available in your AWS account.


    1. Update and test your application(s) code with the chosen access key ID and secret access key.

    2. Run the update-access-key command (OSX/Linux/UNIX), passing the IAM user name and its non-operational access key ID as command parameters, to deactivate the unnecessary key.

    See the Audit section part II (AWS CLI) to identify the unnecessary access key ID for the selected IAM user.

    3. The following example deactivates an access key with the ID AAAABBBBCCCCDDDDEEEE for an IAM user with the name nCodeLibrary (the command does not return any output):

    aws iam update-access-key \
        --access-key-id AAAABBBBCCCCDDDDEEEE \
        --status Inactive \
        --user-name nCodeLibrary

    Run the list-access-keys command (OSX/Linux/UNIX) again to make sure that the selected access key pair has been successfully deactivated:

    aws iam list-access-keys \
        --user-name nCodeLibrary

    4. The command output should expose the metadata for each access key associated with the IAM user.

    If the non-operational key pair's Status is set to Inactive, the key has been successfully switched off and the IAM user access configuration now adheres to security best practices.

    {
        "AccessKeyMetadata": [
            {
                "UserName": "nCodeLibrary",
                "AccessKeyId": "AAAABBBBCCCCDDDDEEEE",
                "Status": "Inactive",
                "CreateDate": "2021-07-19T17:32:27+00:00"
            },
            {
                "UserName": "nCodeLibrary",
                "AccessKeyId": "EEEEDDDDCCCCBBBBAAAA",
                "Status": "Active",
                "CreateDate": "2021-07-20T20:19:39+00:00"
            }
        ]
    }

    5. Repeat steps no. 1 – 4 for each IAM user available in your AWS account.
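    The audit loop (steps 1 to 5 of the CLI audit above) and the deactivation step (the update-access-key call above) can be automated for every user in the account. The script below is an added example, not nOps tooling or an AWS-provided script; it assumes a boto3-style IAM client (any object with list_users, list_access_keys and update_access_key taking boto3's keyword arguments) and ships with a constructed offline stand-in whose nCodeLibrary data mirrors the page's example output. It keeps the newest active key, on the assumption that the newest key is the one produced by the latest rotation, and only sets the others to Inactive rather than deleting them.

```python
from datetime import datetime, timezone

def redundant_key_ids(metadata):
    """IDs of every Active key except the newest, assumed to come from the latest rotation."""
    active = sorted((k for k in metadata if k["Status"] == "Active"),
                    key=lambda k: k["CreateDate"])
    return [k["AccessKeyId"] for k in active[:-1]]

def audit(iam):
    """Walk every IAM user; map users with >1 active key to the IDs to deactivate."""
    findings = {}
    for user in iam.list_users()["Users"]:
        meta = iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]
        if ids := redundant_key_ids(meta):
            findings[user["UserName"]] = ids
    return findings

def remediate(iam, findings, dry_run=True):
    """Set redundant keys to Inactive (not deleted, so they can be re-enabled if an
    application still needs them). Returns the (user, key) pairs handled."""
    acted = []
    for name, key_ids in findings.items():
        for key_id in key_ids:
            if not dry_run:
                iam.update_access_key(UserName=name, AccessKeyId=key_id, Status="Inactive")
            acted.append((name, key_id))
    return acted

class FakeIAM:
    """Offline stand-in for boto3.client("iam") with constructed sample data; the
    nCodeLibrary key IDs and dates mirror the page's example output."""
    def __init__(self):
        d = lambda y, m, day: datetime(y, m, day, tzinfo=timezone.utc)
        self.keys = {
            "nCodeLibrary": [
                {"AccessKeyId": "AAAABBBBCCCCDDDDEEEE", "Status": "Active", "CreateDate": d(2021, 7, 19)},
                {"AccessKeyId": "EEEEDDDDCCCCBBBBAAAA", "Status": "Active", "CreateDate": d(2021, 7, 20)}],
            "okta": [{"AccessKeyId": "CONSTRUCTEDKEY000001", "Status": "Active", "CreateDate": d(2021, 1, 5)}]}
    def list_users(self):
        return {"Users": [{"UserName": n} for n in self.keys]}
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.keys[UserName]]}
    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.keys[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status
```

    Against a real account replace FakeIAM() with boto3.client("iam"), keep dry_run=True until the applications have been retested with the retained key, and use the list_users paginator for accounts with more users than one page returns.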
